Optimal dimensionality for quantum cryptography 



D.B.Horoshkcj] and S.Ya.Kilin 

Institute of Physics, Belarus National Academy of Sciences, F.Skarina Ave. 68, Minsk 220072 Belarus 

We perform a comparison of two protocols for generating a cryptographic key composed from 
d-valued symbols: one exploiting a string of independent qubits and another one utilizing d-level 
systems prepared in states belonging to d+1 mutually unbiased bases. We show that the protocol 
based on qubits is optimal for quantum cryptography, since it provides higher security and higher 
key generation rate. 
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Quantum cryptography is a technology allowing two 
distant parties to share a random string of symbols (cryp- 
tographic key) in such a way that any eavesdropping from 
the third party will cause a detectable disturbance. This 
can be achieved by using for communication quantum 
systems in states highly sensitive to measurement. Since 
its discovery by Bennett and Brassard (BB84 protocol) 
|EJ, quantum cryptography plays a central role in the 
field of quantum information processing 0], being the 
most experimentally advanced application in this field 
and serving as a 'testing ground' for new ideas || . In par- 
ticular, recently it has been shown that the exploiting of 
quantum systems of dimension higher than two (qudits) 
results in higher disturbance cost of information, making 
the protocol tougher to eavesdrop |J, |], [| 0, |J. This 
situation differs dramatically from that of classical infor- 
mation, where the length of the alphabet does not play 
any role, and therefore the most simple binary encoding 
is commonly used ||. 

However, the comparison between qubit and qudit pro- 
tocols seems to us to be incomplete, since the qudit en- 
coding is not compared to the case where a dit (d-valued 
symbol) is encoded in a sequence of independent qubits. 
Indeed, to share a key composed from dits (for simplic- 
ity we consider d — 2") the communicating parties can 
use the standard binary cryptographic protocol with the 
corresponding mapping of classical data, e.g. a four- 
valued symbol (quart) can be decomposed into two bits, 
an eight-valued symbol - in three bits et cetera. 

In the present paper our aim is to consider the protocol 
for distributing a 2™-letter cryptographic key by means 
of 6-state protocol for qubits [ll] and to compare it 
to the protocol utilizing 2™-level quantum systems with 
states chosen from mutually unbiased bases ||, [||g| @U ■ 
Our comparison will be significant for two practical prob- 
lems. On one hand, if one has two-level systems, such as 
single photons with different polarizations, one can com- 
pose a 2"-level system from a sequence of n qubits, but 
the access to any state in the Hilbert space of such a 
system will require entanglement between the qubits, i.e. 
an additional quantum resource. Our analysis will show, 



how much one gains with respect to security and the key 
generation rate in exchange to this resource. On the other 
hand, if one has a 2™-level system, one can represent its 
Hilbert space as a direct product of n two-dimensional 
systems, and use it for standard cryptography based on 
qubits, restricting oneself to factorizing states of n sub- 
systems. Our analysis should show if this strategy yields 
any benefice. 

Let us first recall the details and notations of the 6- 
state extension of BB84 protocol for quantum cryptogra- 
phy [IlJ . In this protocol the sender (Alice) generates 
a random bit and encodes it in a state of a qubit, choos- 
ing randomly one of three possible bases. The first basis 
is denoted as |0) and |1). The other two are 
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The qubit is sent to the receiver (Bob), who measures it 
in a randomly chosen basis. This procedure is repeated 
many times. After the public disclosure of bases, cho- 
sen by Alice and Bob, both parties keep only those bits 
for which the bases coincide. In this way Alice and Bob 
generate a shared random string of bits. A part of this 
string can be communicated via public channel to deter- 
mine Bob's disturbance - the percentage of incorrectly 
received bits. On the basis of the measured disturbance a 
standard procedure of privacy amplification is performed 
in order to decrease the information of possible eaves- 
dropper |l2|) . As a result, a secure shared cryptographic 
key is generated. 

The same protocol can be used for generating a cryp- 
tographic key composed from 2™-valued symbols. Alice 
generates a random string of symbols, writes each sym- 
bol in binary and communicates with Bob as described 
above. After the binary key is generated, each n succes- 
sive bits are mapped back into 2™-valued symbols. Now 
we need to consider how this protocol is affected by inter- 
vention of an eavesdropper (Eve) . We restrict ourselves 
to individual attacks, for which at most one qubit at a 
time is attacked. 
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Eve can exploit different strategies for individual 
eavesdropping, e.g., the simple intercept-resend strategy, 
where she intercepts a qubit, measures it in a random 
basis and resends to Bob a qubit, prepared in the mea- 
sured state. In this way Eve gains some information in 
exchange to disturbance introduced into Bob's key. In or- 
der not to be detected, Eve is interested in increasing her 
information and decreasing the Bob's disturbance. The 
best known at present strategy for that end is the asym- 
metric cloning of qubit || |7[ |sj . In this type of attack 
Eve attaches to the Alice's qubit two additional qubits 
denoted E and M, performers a unitary transformation 
of all three qubits, and sends the first qubit further to 
Bob, keeping the other two. After the disclosure of bases 
used by Alice and Bob, Eve measures her two qubits in 
the basis chosen by Alice. The cloning transformation, 
written in "correct" basis, is [pi: 
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where the two states of the basis are denoted as |-0o) = |0) 
and \ip\) = 1 1) , and the summation in index is taken mod- 
ulo 2. The real positive numbers a and (3 are parameters 
of the cloning machine, they satisfy the relation 



a 2 + af3 + /3 2 = 1. 



(4) 



The first term in the r.h.s. of Eq. (g) corresponds 
to Bob having no error, while the second term corre- 
sponds to a flip of Bob's qubit. After the measurement 
of her qubits Eve accepts the value of the measurement 
of qubit E as the corresponding bit in the eavesdropped 
key. There are three possible outcomes of measurements 
by Eve and Bob of the state described by Eq. (^): (i) 
Eve and Bob receive correct values of Alice's bit with 
probability po — (a + (3) 2 /2; (ii) Bob receives the correct 
value, but Eve receives the incorrect one with probability 
p e = a 2 / '2; and, finally, (iii) Bob receives the incorrect 
value, while Eve receives the correct one with probability 
Pb — /3 2 /2. Bob in no way can guess which of the cases 
takes place (without revealing his bit to Alice). In the 
meanwhile, Eve can distinguish first two cases from the 
third one by comparing the outcomes of measurements 
of her two qubits E and M, Let us denote the difference 
(modulo 2) of these outcomes as m. If the outcomes co- 
incide (m = 0), then the first or the second case occurs, 
if they differ (to = 1), then the third one takes place. 
Given to = Eve's probability to get the correct value is 
q = pa/ipo +Pe)- On the basis of these probabilities one 
can calculate information got by Bob and Eve. We per- 
form this calculation for keys composed from 2™-valued 
symbols. 

First we consider the case of n = 2. In this case two 
qubits are used for sending a 4- valued symbol (quart). 



Eve clones each qubit separately, measures her qubits in 
correct basis and keeps the values of E qubits for her 
key. Besides she calculates differences of outcomes of 
measuring her qubits E and M - m-i for the first qubit 
and TO2 for the second one. Four possible cases should 
be distinguished depending on the values of mi and 7712. 
Let us suppose, without loss of generality, that the value 
00 was sent by Alice. Then the four cases are as follows. 

For toi = m-2 = 0, which happens with probability 
£00 = (po+Pe) 2 , the distribution of Eve's quart is P^°^ = 
(q 2 , q(l — q), q(l — q), (1 — q) 2 ), while that of Bob's one 
is P B 00 ^ — (1,0,0,0). Here we write the distribution in 
the vector form (poOjPoiiPiOjPn), where pij denotes the 
probability for quart to have value ij in binary notation. 

Similarly, for mi = 0, TO2 = 1 (first bit being the major 
one), which happens with probability £01 = Pb(po + Pe), 
we have P^ 01) = (q, 0, 1 - q, 0), P B 01} = (0, 1,0, 0). 

For toi = 1, to 2 = 0, which happens with probability 

£10 = Pb(po +Pe), we have P E W) = (q, 1 - q, 0, 0), P B W) = 
(0,0,1,0). 

And, finally, for toi = m2 = 1, which happens with 
probability 61 = Pb, we have P [ E W) = (1, 0, 0, 0), P [ B W) = 
(0,0,0,1). 

Now we are ready to calculate the information on Al- 
ice's quart received by Bob and Eve. This information is 
calculated as / = 2 — H(P), where H(P) is the Shannon 
entropy function calculated for the distribution P: 



H{P) = - Pv l °S2Pij- 



(5) 



However, averaging over toi and TO2 is performed dif- 
ferently for Bob and Eve. Bob does not know the 
values of toi and TO2, and therefore for him the aver- 
age distribution (Pb) = Y^£ijP B is found first, and 
then the information for this distribution is calculated 
Ib = 2 — H((Pb))- Eve, on the contrary, knows the val- 
ues of toi and TO2 and her information is calculated for 
each case and then averaged: Ie = 2 — (if (Pe)). In this 
way we obtain 



(Pb) 
Ib 
Ie 



((1 -p b ) 2 ,p b {l -p b ),p b (l -Pb),pl) , (6) 
2 - 2h(p b ), (7) 
2-2h(q)(l-p b ), (8) 



where h(q) = — <zlog 2 q— (1 — q) log 2 (l — q). Informations 
of Bob and Eve are exactly twice that for the case of bits, 
as could be expected. If one considers the dependence of 
Ib and Ie from pb (note that q can be expressed through 
p e , using Eq. (Q)), one finds that Ib decreases with pb 
while Ie increases. The intersection of two curves defines 
the border value of pb, below which Bob's information 
exceeds Eve's one and therefore the standard procedure 
of privacy amplification if applicable. This value is the 
solution of equation 



2-2h(pb) = 2-2h(q){l-p b ), 



(9) 



3 



and is the same as for the 6-state protocol for quantum 
cryptography with qubits, pt — 0.1564. In the case of 
generating binary key pb has the sense of disturbance, 
i.e. probability for Bob to get incorrect symbol in his 
key. In the case of cryptography with quarts, considered 
here, the intersection of two curves occurs at the same 
value of pb, but the border disturbance is now 
1 — (1 — pb) 2 = 0.2883. The growth of disturbance reflects 
the fact that an incorrect quart can be received when only 
one bit is wrong and another one is correct. This point 
was mentioned in Ref . jllj , but did not deserve a detailed 
consideration up to now. 

The considered cryptographic protocol for generating a 
key consisting from quarts can be compared to the proto- 
col where 5 mutually unbiased bases in four-dimensional 
Hilbert space are used [?], |). In the latter protocol 
Alice and Bob use for encoding such bases that the over- 
lap of two any states from different bases is the same. 
The rest of the protocol resembles BB84. The use of mu- 
tually unbiased bases guarantees that no information on 
the encoded symbol is got if an incorrect basis is chosen 
for measurement. Therefore the protocol implementing 
such bases should provide the best security for cryptogra- 
phy with qudits. The analysis of eavesdropping by means 
of asymmetric cloning of qudits shows that in this case 
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(1 - D,D/3,D/3,D/3), 
2 



(10) 



D 



l-D)log 2 (l-D)+Dlog 2 j, (11) 



2 + (l-D)(l-/z) log 2 (l-/x) 
+(1 - D)fMl0g 2 |, 



(12) 



where fi = De/(1 — D), D and De being Bob's and 
Eve's disturbances respectively, connected by the follow- 
ing parametric relations: De = 3a 2 /4, D = 3/3 2 /4, 
where a and (3 are real positive parameters of the cloning 
machine for four-level quantum systems, satisfying the 
normalization relation 



a 2 + ^a(3 + (3 2 = 1. 



(13) 



The solution of equation Is = Ie in this case gives the 
result D (4) = 0.2666. We see that < £K 4 ), that 
is the cryptographic protocol exploiting qubit pairs for 
generating a key of quarts is more secure against eaves- 
dropping attacks, than the protocol, utilizing four-level 
systems prepared in one of 5 mutually unbiased bases. 
Besides, the former protocol provides higher key genera- 
tion rate, since 1/3 of systems is used for the key, against 
1/5 in the latter case. 

This result is easily generalized to any value of n. If a 
sequence of n qubits is used for generating a key of 2 n - 
valued symbols, then Bob's disturbance corresponding to 
intersection of informational curves for Bob and Eve is 
Z)( 2 ") — 1 — (1 — 0.1564)™. The corresponding distur- 
bance D^ 2 > for the case where 2 ra -dimensional systems 
are used, being prepared in a state chosen from 2™ + 1 



mutually unbiased bases, is calculated as a solution of 
equation Is = Ie where ||, 

1 B = n+(l-D)log 2 (l-D) + Dlog 2 ^- [ ,(lA) 

(15) 



n+(l-^)(l- M )log 2 (l-/i) 
+(l- J D)/xlog 2 ^L, 



where again \x — De/{1 ~ D), but this time D and De 
are connected by equations De = (1 — 2~ n )a 2 , D = 
(1 - 2-")/3 2 , where 
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+ —- 1 a(3 + (3 2 = l. 



(16) 



The both disturbances D*- 2 ) and D^ 2 \ calculated nu- 
merically, are plotted in Fig.l as functions of n. The plot 
shows, that D^ 2 > is always greater than D^ 2n \ i.e. a 
protocol based on qubits is more secure than that based 
on qudits. Note that for symbols with more than two 
values the disturbance is not limited by 1/2. 
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FIG. 1: The border disturbance for sharing a key composed 
from 2"-valued symbols, using qubits (crosses) and 2™-level 
systems (circles). 

One could conjecture that a sequence of qubits encod- 
ing one quart could be effectively eavesdropped by a col- 
lective attack. But this is not so, since any collective at- 
tack produces correlation between attacked qubits, and 
therefore can be easily detected by Bob. Undetectable 
collective attack should address randomly chosen qubits, 
i.e. it may to be expected to be equally successful for 
qubits and qudits. Moreover, it is still unclear at present, 
if collective attacks are more effective than individual 
ones Q. 

We conclude that the optimal dimensionality for quan- 
tum cryptography is 2, i.e. two-dimensional systems are 
the best tool for information encoding, like in the classical 
information theory. This result leads us to two practical 
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recommendations concerning implementation of quan- 
tum cryptography. First, if one has two- level systems 
available for quantum cryptography, there is no sense in 
entangling them for producing systems of higher dimen- 
sions. Second, if one has multilevel systems at hand, it is 
more profitable to decompose the states of each system 
into direct product of two-dimensional spaces and use 



them for standard cryptographic protocol with qubits. 
This strategy provides better security and better key gen- 
eration rate. 
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